Stanford is sending notification letters to individuals who may have been affected by a data security incident involving the Stanford Department of Public Safety.

On Sept. 27, 2023, the Department of Public Safety discovered that it was the victim of a ransomware attack. Upon discovering the attack, Stanford notified federal and local law enforcement and immediately began investigating the incident with the assistance of a respected forensic investigator.

The investigation determined that an unauthorized individual(s) gained access to the Department of Public Safety’s network between May 12, 2023, and Sept. 27, 2023. The unauthorized access was ended and the network was secured shortly after the unauthorized access was first discovered.

The incident does not involve any Stanford systems or networks beyond the one used by the Department of Public Safety.

Also, at this time there is no evidence that the accessed information has been misused.

The nature and scope of the incident required time to analyze. At this point, the forensic investigation has identified individuals whose data may have been impacted in the attack. To the extent mailing addresses are available, potentially impacted individuals will be receiving mailed notifications shortly with information about identity protection services that will be made available to them free of charge.

The personal information that may have been affected varies from person to person but could include date of birth, Social Security number, government ID, passport number, driver’s license number, and other information the Department of Public Safety may have collected in its operations. For a small number of individuals, this information may also have included biometric data, health/medical information, email address with password, username with password, security questions and answers, digital signature, and credit card information with security codes.

The law enforcement investigation of the incident is ongoing.